Who needs me?

    0x00 Foreword

    Inspired by a recent post on online banking security. I read the comments and realized that this topic is apparently poorly covered on Habr. Dedicated to everyone who likes to exclaim "What could a hacker possibly take from my computer?" and "Who would even need me?". What is actually going on, and most importantly, how does the money leave people's accounts? Interested? Welcome under the cut.



    0x01 Malware, cunning and merciless

    While cautious Habr users install antiviruses, Linux and other protective gear, the authors of malware do not sleep, and their creations improve day by day. Some of them are admirable: elegant and beautiful. And dangerous. If earlier the only "visible" damage was corrupted software, today, thanks to the spread of MasterCard and Visa, the criminals' motives have shifted to finance. Everyone has heard about the work of the legendary Zeus, Conficker and other prominent members of the malware "community", yet people still seem not to understand what is happening. Some put their faith in SSL certificates, others in one-time passwords... The trouble comes from where it was not expected.

    With active web surfing, picking up malware is not a difficult task. As a rule this happens through so-called exploit packs: when a person visits a compromised page (which may well be a page on a fairly well-known site), a battery of different attacks is thrown at his browser and its plugins, the main goal being to drop the malware itself, or its downloader, onto the visitor's machine. Once the creature has settled on your system, it waits. It waits for a browser with an online banking session to open in front of it. And then the fun begins.

    0x02 Inside an online banking client

    The first time the user logs into online banking from an infected machine, the malware performs reconnaissance. Using XSS or some other method (in practice the trojan sits inside the browser process and injects its own code into the bank's pages as they load, a so-called web inject), it loads JavaScript written for this particular bank, which collects everything simply by walking the DOM. What does it collect? Everything: the cardholder's name, the balance, all transfers to and from the account. The aggregated information is then sent to the attackers. After that the malware goes back to sleep and waits for further instructions.

    The instructions come back as information processed by a human: where to send the money, and how much. The malware then waits again, though not yet with the aim of draining your hard-earned savings. In this example we look at the case of everyone's favourite one-time passwords, which give a certain illusion of security. When it is time to type a one-time password, the malware cunningly takes the entry through a form it has substituted by the same tricks: the first password is captured, and the user is shown a convincing "authorization error" page asking for the next one-time password. The second password is also captured and never reaches the bank, while the user lands in the banking client logged in with the first password, so nothing looks wrong. The malware then watches the user's actions closely, keeping track of what is about to happen and how the balance changes. Suppose the balance is enough for the transfers it needs. It waits for the user to log out of the banking client, and then, without any user involvement, logs in with the second, still unused password and, with a series of POST/GET requests, sends the money to drop (money-mule) accounts. It records the delta by which the balance changed, plus whatever else it needs, and waits again. Note that this works as described against one-time passwords that stay valid until used, such as printed or scratch-card TAN lists; a time-based code expires within a minute, so the malware would have to use it right away rather than wait for the logout, but a code that is not tied to a specific transaction is replayable either way.

    When the victim next visits the banking client, the malware shows him a nicely doctored page with the withdrawn money added back. The victim sees that all the money is in place; the unauthorized postings are hidden by the next piece of JavaScript, and so are buttons like "Save my activity to a text file" and the like, so no alarm is raised. Meanwhile the malware watches for the balance to be topped up, and if that happens the draining scenario repeats. In effect the victim can keep losing his savings for quite a long time while believing his account is growing.

    0x03 Instead of a conclusion

    I deliberately did not cover all the types and methods of malware targeting online banking clients; there are a great many, and there is no point in describing them all. Schemes other than the one described here also exist. This information is provided for informational purposes only, to shed some light on "safe" online banking. I will only add that almost all modern protection methods are successfully bypassed by carders. So keep your PC clean, be attentive when using the online banking client, and do not assume that nobody needs you.
